
Docker Cryptojacking (Trojan) – Malware

March 1, 2025
in Malware

Docker Cryptojacking

Type of Malware

Trojan

Date of Initial Activity

2024

Motivation

Financial Gain

Attack Vectors

Cloud Services

Targeted Systems

Linux

Overview

A recently uncovered cryptojacking campaign has raised alarm bells within the cybersecurity community, as it exploits vulnerabilities in Docker and Kubernetes environments to mine cryptocurrency at a massive scale. The campaign, discovered by Datadog Security Research, takes advantage of misconfigurations and exposed API endpoints within Docker and Kubernetes, leveraging these cloud-native technologies to spread malware and hijack computing resources across compromised networks. This attack targets both individual containers and larger cloud infrastructures, such as Docker Swarm clusters and Kubernetes nodes, utilizing sophisticated techniques to propagate, evade detection, and maximize its cryptocurrency mining operations. At the heart of the attack is the exploitation of Docker Engine’s open API, which is often exposed to the internet without proper authentication. This allows attackers to deploy malicious containers on vulnerable systems, marking the first step in their strategy. The attackers then deploy a cryptocurrency mining script, XMRig, onto the infected containers, which mines Monero (XMR), a privacy-focused cryptocurrency. The miners consume significant computational resources, slowing down system performance and causing operational disruptions. The threat actors also employ advanced persistence techniques to ensure the malware remains hidden and operates uninterrupted, including methods like Dynamic Linker Hijacking, which allows the miner to avoid detection by system monitoring tools.

Targets

Information

How they operate

The campaign begins with the identification of Docker API endpoints that are exposed to the internet without proper authentication. Attackers use internet scanning tools like Masscan and ZGrab, run from already compromised nodes, to locate these endpoints. Once a vulnerable Docker endpoint is located, the attackers issue commands through the API to spawn a malicious Alpine container. The container is configured to mount the host’s file system, allowing the malware to execute commands that retrieve an initialization script from an external server. This script, once executed, sets the stage for the broader infection and begins the process of installing the mining software. If the system is running with root privileges, the malware downloads the official XMRig setup script from GitHub and executes it on the infected container. If the system is non-root, the malware installs a custom version of XMRig as an alternative method of deploying the miner.

To ensure the mining process runs undetected, the malware takes several steps to hide its presence. A process hider, compiled as a Linux shared object, is downloaded from the attacker-controlled server and saved as “/etc/rig.so”. The shared object is then registered with the dynamic linker through a technique known as Dynamic Linker Hijacking. This ensures that any mining process, such as XMRig, remains invisible to system monitoring tools like top or ps, as the hider continuously masks the mining software from appearing in the system’s process listings. Additionally, the malware executes several other payloads designed to persist on the compromised system and further its lateral movement across the network.

Lateral movement is a key component of this cryptojacking campaign. Once the initial container is infected, the malware deploys additional scripts to spread the infection to other containers, Docker hosts, and Kubernetes clusters. The kube.lateral.sh script, for example, is specifically designed to target Kubernetes nodes. This script disables system firewalls, removes monitoring tools, and manipulates the system’s DNS configuration to ensure smooth operation of the malware. It also installs tools like Masscan and ZGrab, which the attackers use to scan for Kubernetes nodes with exposed Kubelet APIs. By exploiting the Kubelet API, attackers can deploy additional containers to further propagate the malware and maintain control over the network. The attackers also use other techniques to ensure persistence, such as modifying SSH configurations to enable remote access and execute additional malicious scripts across different cloud environments.

This multi-layered approach to cryptojacking demonstrates the growing sophistication of cybercriminals targeting cloud-native technologies such as Docker and Kubernetes. The ability to exploit widely used orchestration platforms for mining cryptocurrency at scale is a reminder of the potential weaknesses present in these environments. It also highlights the importance of securing containerized infrastructures and ensuring that Docker and Kubernetes APIs are properly protected from unauthorized access. As cloud computing continues to grow, organizations must be vigilant in securing their systems against these evolving threats to prevent financial losses and operational disruptions.
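As an added example (not code from this page or from Datadog's report), the following Python audit checks a host for the three conditions the Overview and How they operate sections describe: a Docker API listening over TCP without TLS client verification, a container that bind-mounts the host's root file system, and a shared object registered with the dynamic linker. It assumes the registration is done through /etc/ld.so.preload, and all sample inputs are constructed.

```python
import json

# Constructed sample inputs (not taken from the page or the Datadog report):
# a dockerd daemon.json listening on plain TCP, an /etc/ld.so.preload that
# carries the hider path named in the write-up, and one docker-inspect record.
DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
LD_SO_PRELOAD = "/etc/rig.so\n"
INSPECT_JSON = '''[{"Name": "/nervous_alpine",
  "Config": {"Image": "alpine"},
  "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]}]'''


def docker_api_exposed(daemon_json: str) -> list:
    """Return TCP listeners the daemon exposes without TLS client verification.

    dockerd's daemon.json uses the keys "hosts" and "tlsverify"; a tcp:// host
    without tlsverify is the unauthenticated API the campaign scans for."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def preload_entries(ld_so_preload: str) -> list:
    """Every entry in /etc/ld.so.preload is injected into every new process.

    On a container host the file is normally absent or empty, so any
    non-comment line (e.g. /etc/rig.so) deserves triage as a process hider."""
    return [line.strip() for line in ld_so_preload.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def host_root_mounts(inspect_json: str) -> list:
    """Return (container, destination) pairs that bind the host's / inside.

    A container with the host root mounted can write /etc/ld.so.preload and
    drop files on the host, which is how the initialization script lands."""
    hits = []
    for c in json.loads(inspect_json):
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and m.get("Source") == "/":
                hits.append((c["Name"], m.get("Destination", "")))
    return hits


def audit(daemon_json: str, ld_so_preload: str, inspect_json: str) -> dict:
    """Combine the three checks into one report for a host."""
    return {"exposed_api": docker_api_exposed(daemon_json),
            "preload": preload_entries(ld_so_preload),
            "host_root_mounts": host_root_mounts(inspect_json)}


if __name__ == "__main__":
    print(json.dumps(audit(DAEMON_JSON, LD_SO_PRELOAD, INSPECT_JSON), indent=2))
```

On a live host, feed it the contents of /etc/docker/daemon.json, /etc/ld.so.preload and the output of `docker inspect $(docker ps -q)`; an empty report for all three is the expected baseline.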
References
  • Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale
Tags: API, Attackers, Cryptojacking, Datadog Security Research, Docker, Docker Cryptojacking, Kubernetes, Linux, Malware, Masscan, Trojans, ZGrab